How can I properly set sudo/visudo's editor?

18

2

I am using Ubuntu 10.04 Server and trying to set up sudoers to respect a user's EDITOR choice (within limits).

In my sudoers I have:

Defaults        editor=/usr/bin/nano:/usr/bin/vim
Defaults        env_reset

And in the user .bashrc:

export EDITOR=/usr/bin/vim

$EDITOR is set:

$ echo $EDITOR
/usr/bin/vim

According to man sudoers this should be enough for $EDITOR to be set to vim:

editor  A colon (':') separated list of editors allowed to be used with visudo.
        visudo will choose the editor that matches the user's EDITOR environment
        variable if possible, or the first editor in the list that exists and is
        executable. The default is the path to vi on your system.

However nano is still being used for this user. A quick check of env:

$ sudo -- env | grep EDITOR

Returns nothing.

$ sudo -E -- env | grep EDITOR

Returns EDITOR=/usr/bin/vim

I am aware that I could do the following things to make EDITOR work:

  • Set env_editor, env_keep+=EDITOR or any other option that keeps the EDITOR variable in sudoers: I don't want to do this as it could allow arbitrary execution of anything (e.g. export EDITOR=~/bad_program_to_run_as_root)
  • Use sudo -E or even alias sudo='sudo -E': Defeats the point of having env_reset and users without SETENV (not something I want to give out: see previous point) get sudo: sorry, you are not allowed to preserve the environment
  • Set editor=/usr/bin/vim: But there are other users who don't know vim
  • Use sudo select-editor: Close, but sudo visudo still opens in nano
  • Just use sudoedit or vim directly: But then you lose the safety of tools like visudo, vipw, crontab -e.
  • Just deal with it: Probably, but if I'm missing some insight I would love to know

I've also tried setting the VISUAL and SUDO_EDITOR variables (in desperation).

Is there something I have missed that will make sudo visudo open in the users editor of choice, without making the compromises above?

EDIT:

I think I understand why this isn't working as I expect. I'm putting it down here in case anyone else has the same misconception.

In the sudoers file

Defaults        editor=/usr/bin/nano:/usr/bin/vim

  • Only refers to the list of editors that are allowed when running visudo (not any other program)
  • editor checks $EDITOR, but if running sudo visudo, sudo does not set $EDITOR, so when visudo runs it will be empty
  • Therefore the first editor is used, in this case nano

Can anyone confirm that this is correct?

I expected therefore that a safe solution would be to add:

Defaults!/usr/sbin/visudo env_keep+=EDITOR

i.e. keep EDITOR if and only if running visudo. This would then be checked against

Defaults                  editor=/usr/bin/nano:/usr/bin/vim

And if it didn't match either, it would use nano.

Weirdly though, this doesn't seem to be the case:

$ sudo su - root
# export EDITOR=/bin/echo
# visudo
/etc/sudoers.tmp
visudo: /etc/sudoers.tmp unchanged

/bin/echo is used as the editor. Bug? Or another misconception?

Thanks

Mark C

Posted 2012-11-29T13:24:18.027

Reputation: 193

Answers

6

You are right that setting the EDITOR variable should change the editor used for sudo. However, there are two other variables with precedence over the EDITOR: SUDO_EDITOR and VISUAL. Make sure none of them point to some other editor like nano.

Guy

Posted 2012-11-29T13:24:18.027

Reputation: 181

The reason I upvoted is because so few answers make reference to VISUAL taking precedence over EDITOR. I thought my EDITOR variable was just being ignored. Turns out, in Centos7 both EDITOR and VISUAL seem to default to pico. – threeve – 2016-08-09T14:24:11.050
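Added example, not part of the question or any answer and not visudo's own code: a small shell model of the allow-list selection that the quoted sudoers(5) text describes, checking the variables in the order SUDO_EDITOR, VISUAL, EDITOR. The function name `pick_editor`, that precedence order and the temporary stand-in editors are assumptions made for the illustration.

```shell
#!/bin/sh
# Model of the allow-list choice in the quoted sudoers(5) text.
# Illustration only: not visudo's source. pick_editor is a hypothetical name.

# pick_editor ALLOWLIST
#   ALLOWLIST: colon-separated value of "Defaults editor=...".
#   Reads SUDO_EDITOR, VISUAL, EDITOR (assumed precedence, highest first).
#   Prints the chosen editor; returns 1 if no listed editor is executable.
#   The ( ) body runs in a subshell, so IFS and set -f do not leak out.
pick_editor() (
    allowlist=$1
    set -f      # no globbing while splitting the list
    IFS=:
    # 1. A preference wins only on an exact match with an executable entry.
    for candidate in "${SUDO_EDITOR:-}" "${VISUAL:-}" "${EDITOR:-}"; do
        [ -n "$candidate" ] || continue
        for allowed in $allowlist; do
            if [ "$candidate" = "$allowed" ] && [ -f "$allowed" ] && [ -x "$allowed" ]; then
                printf '%s\n' "$allowed"
                return 0
            fi
        done
    done
    # 2. Otherwise: the first entry that exists and is executable.
    for allowed in $allowlist; do
        if [ -f "$allowed" ] && [ -x "$allowed" ]; then
            printf '%s\n' "$allowed"
            return 0
        fi
    done
    return 1
)

# Constructed stand-ins for nano and vim so the demo runs on any machine.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
for name in nano vim; do
    printf '#!/bin/sh\n' > "$demo_dir/$name"
    chmod +x "$demo_dir/$name"
done
ALLOWED="$demo_dir/nano:$demo_dir/vim"

# EDITOR stripped by env_reset: first listed editor (nano stand-in).
( unset SUDO_EDITOR VISUAL EDITOR; pick_editor "$ALLOWED" )
# EDITOR kept and on the list: the user's choice (vim stand-in).
( unset SUDO_EDITOR VISUAL; EDITOR="$demo_dir/vim"; pick_editor "$ALLOWED" )
# EDITOR kept but not on the list: ignored, first listed editor.
( unset SUDO_EDITOR VISUAL; EDITOR=/bin/echo; pick_editor "$ALLOWED" )
```

Under this model a value such as /bin/echo is never run, because only an exact match against a listed, executable path is accepted.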

5

There's another solution as described here:

sudo update-alternatives --config editor

But it's not so friendly on a multi-user system as it only updates a symlink in /usr/bin/:

$ ls -l `which editor`
lrwxrwxrwx 1 root root 24 lip  4 19:37 /usr/bin/editor -> /etc/alternatives/editor

$ ls -l /etc/alternatives/editor
lrwxrwxrwx 1 root root 18 Jul  5 01:39 /etc/alternatives/editor -> /usr/bin/vim.basic

What happened to select-editor anyway? When I run it, it creates a file:

$ ls -l .selected_editor 
-rw-r--r-- 1 rld rld 75 Jul  5 01:54 .selected_editor

$ cat .selected_editor 
# Generated by /usr/bin/select-editor
SELECTED_EDITOR="/usr/bin/vim.basic"

But sudo visudo keeps using nano.

rld.

Posted 2012-11-29T13:24:18.027

Reputation: 404

3

In Debian 7, setting EDITOR in the environment didn't work.

To use Nano, I ended up adding the following line to /etc/sudoers

Defaults        editor="/usr/bin/nano"

kim3er

Posted 2012-11-29T13:24:18.027

Reputation: 405

WORKED LIKE A CHAMP on DigitalOcean Ubuntu 12.04. Thanks. – Joe Codeswell user601770 – 2015-05-11T16:42:27.467

Thank you. This also worked on Oracle Linux. (I like nano/pico.) – MikeP – 2019-01-15T19:52:01.890

1

env_reset does not keep a user from setting variables on the command line:

$ sudo EDITOR=vim -- env |grep EDIT
EDITOR=vim

I find your findings about the editor option mildly shocking but unfortunately I don't know the answers to your secondary questions. One would think that the Ubuntu camp would have plenty of docs and configuration examples on this issue; perhaps we ought to look harder.

Ярослав Рахматуллин

Posted 2012-11-29T13:24:18.027

Reputation: 9 076